Forgot your password?
typodupeerror
Microsoft Privacy Windows Your Rights Online

Microsoft Denies Windows 8 App Spying Via SmartScreen 198

Posted by timothy
from the wall-of-separation dept.
An anonymous reader writes "Microsoft has denied Windows 8 SmartScreen is spying after research by Nadim Kobeissi indicated otherwise." Whether it's "spying" or not, Microsoft is collecting certain information with SmartScreen — the key is what's done with it: The article quotes a Microsoft spokesperson: "We don’t use this data to identify, contact or target advertising to our users and we don’t share it with third parties."
This discussion has been archived. No new comments can be posted.

Microsoft Denies Windows 8 App Spying Via SmartScreen

Comments Filter:
  • Disable it! (Score:5, Informative)

    by zenlessyank (748553) on Saturday August 25, 2012 @05:51PM (#41125477)
    There is a check box where you can disable this 'feature' before installation. Nothing to see here....
    • Re: (Score:3, Informative)

      by menegator (539434)

      There is a check box where you can disable this 'feature' before installation. Nothing to see here....

      Why is the parent moded -1?

      • Re: (Score:2, Insightful)

        by fnj (64210)

        Maybe because he completely misses the point.

        • Re:Disable it! (Score:5, Interesting)

          by Shining Celebi (853093) on Saturday August 25, 2012 @07:12PM (#41125879) Homepage

          Just read the Ars Technica article. [arstechnica.com] The Slashdot headline is ridiculously slanted, as was the previous story.

          While I disagree with it in principle - I'd rather it be local, like how Firefox uses a local version of the bad-sites list, this is not in any way unusual or awful behavior, and it's mostly a good idea, and Microsoft has been completely open about how and why they're doing this and giving you an easy way to turn it off. It is not some privacy invading nightmare. Microsoft is not keeping track of what programs you download (unless, obviously, you get them through the Microsoft store.)

          Slashdot stories are becoming more and more ridiculous. The summaries are never even worth reading anymore.

          • The summaries are never even worth reading anymore.

            No one reads TFA any more, you're just now coming around to the idea of not reading the summaries, while many of us have been just reading the headlines for quite some time...

            • by Aighearach (97333)

              The summaries are never even worth reading anymore.

              No one reads TFA any more, you're just now coming around to the idea of not reading the summaries, while many of us have been just reading the headlines for quite some time...

              I've been doing it that way for at least 10 years. Now be a good boy sonny and fetch my pills for me, I can't seem to find them...

          • Re:Disable it! (Score:5, Interesting)

            by rtfa-troll (1340807) on Sunday August 26, 2012 @01:42AM (#41127663)

            There are a whole load of "suddenly technically knowlagable" people dissembling here (I'd hate to say shills; but somewhere someone is feeding in disinformation).

            • the application sends checksums to Microsoft
            • those checksums correspond one to one to applications
            • Microsoft will normally know which application is which
            • that information will be discoverable by the Police / authorities etc.
            • the application is no by default and does not ensure the user knows how it functions.

            Now let's have a look at some of the language being used in the Ars Technica article.

            This would allow the company to make some estimates of which IP addresses were running which software.

            "some estimates" implies that there wold be uncertainty; that Microsoft wouldn't be able to say 100% that you were using a piece of software. Maybe it is Tor; maybe it's actually Tornado the game. The implication is a humal level of uncertainty which just doesn't apply.

            "which IP addresses" implies that Microsoft would not know who you are. This shows an even greater level of deception. It's even trying to imply that your information may not be linked, if, for example, you change IP addresses. Microsoft has your software registration. Microsoft knows about your usage of Bing. Microsoft has your passport account. If any company other than Google can link your IP address to a particular person; that company is Microsoft.

            Compared to this Ars Technica article, Slashdot is a haven of technical superiority and higher journalistic ethics and integrity. Maybe Anonymous Coward could set up a journalism course for the guys at Ars Technica.

            Finally let's look at Microsoft's statement in the article (N.B. we don't get told what question this is an answer to; note that it might potentially be Microsoft answering to a question about their web sites in which case Ars Technica is again doing the deception; let's take it at face value however).

            We can confirm that we are not building a historical database of program and user IP data. Like all online services, IP addresses are necessary to connect to our service, but we periodically delete them from our logs.

            The entire point of this service is to build up a "historical" database of executables. It works by identifying those downloads which are known and safe by how often they are downloaded and builds up a "reputation". Ars Technica describes this as "anonymised" without going into details. If you think that they don't at least have the IP network address then I have a bridge to sell you. Let me explain a simple exploit for you: before releasing your malware, repeatedly download it on each of your computers Microsoft will sign it as as having a good reputation. Microsoft's only possible defence against this is to ensure that it knows, at least to some level, which IP addresses used which software.

          • Yet no one cares that Firefox and Google do exactly the same thing, plus that they do it with a unique key for every Firefox install. That key allows Google to identify a firefox session, even when it's "In Private"

            If you block the connection to Google's Safe Browsing service at either the firewall or proxy server, then the firefox installs silently fail. You Must disable the check in about:config (safe) to do so and there are six entries and every one has to be reset to off otherwise safe browsing is not

            • by cayenne8 (626475)

              If you block the connection to Google's Safe Browsing service at either the firewall or proxy server, then the firefox installs silently fail. You Must disable the check in about:config (safe) to do so and there are six entries and every one has to be reset to off otherwise safe browsing is not disabled.

              Interesting....do you by chance have any links to instructions on how to disable all of this in FF?

      • Re:Disable it! (Score:5, Informative)

        by CrazyDuke (529195) on Saturday August 25, 2012 @05:57PM (#41125517)

        Look in his history: His Karma is negative. The comment hasn't even been modded.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          That happens here when you legitimately defend Microsoft.

        • by swell (195815)

          "Look in his history: His Karma is negative. The comment hasn't even been modded."

          Don't believe the history of zenlessyank, or anyone else. At least in my case, every comment score is wrong, on the low side. How's yours? The history function should be fixed or removed- it's been broken far too long.

          OTOH, zenlessyank is remarkably fond of exclamations--used in most titles. Those exclamations tend to be rants, many with a religious undercurrent. Zenlessyank is not given to subtlety which may have something to

          • by b4dc0d3r (1268512)

            Mine is pretty accurate, considering I have a +2 Karma bonus, so I don't need many pluses to get a 5, and usually get 15 mod points at a time, with a rare 5 from time to time.

            zenlessyank's history is not informative based on the scores, because negative karma grants you anywhere from +2 to -1 automatically. It doesn't matter what a post score is. Just read the comments. I find history invaluable when moderating, because it can help when I can't determine when someone is sarcastic or genuinely idiotic.

            A f

            • by swell (195815)

              "Comment: Re:Disable it! (Score 1)
              by b4dc0d3r on 12-08-25 21:14 (#41127109) Attached to: Microsoft Denies Windows 8 App Spying Via SmartScreen

              Mine is pretty accurate..."

              Actually, it's not... Your History (excerpt above) says that comment is a Score 1, while the comment in the context of TFA says you earned a Score 2.

              Likewise, my comment in History: "Re:Recourse (Score 4, Interesting)" actually earned a Score 5. As I mentioned, almost all my History is wrong, in a negative way.

              I've checked my history several

      • by kheldan (1460303)

        Why is the parent moded -1?

        Likely because the jackass population on /. is too high and they enjoy modding people down for no damned good reason.

        Personally I don't care if this feature is used to spy or not. I won't buy or use Windows 8 if I can possibly avoid it. I'd dump everything and finally switch to some flavor of Linux first.

    • Re:Disable it! (Score:4, Insightful)

      by Anonymous Coward on Saturday August 25, 2012 @06:18PM (#41125637)

      There is a check box where you can disable this 'feature' before installation.
      Nothing to see here....

      Because at least 1% of Windows users are capable of installing the OS themselves.

      • by hairyfeet (841228)

        And if you get it pre-installed there is a checkbox in Action center that kills it, which if you are so clueless that you can't even uncheck a checkbox in a GUI? Really having a hard time feeling sorry for you.

        Besides frankly the whole subject is moot anyway, you are talking about an OS that gets articles like Windows 8...yes its THAT bad [infoworld.com] and is the subject of parody before its even released [youtube.com] so I kinda doubt its gonna be seeing much use on anything but tablets. Hell the only reason it'll be seeing ANY use o

        • And if you get it pre-installed there is a checkbox in Action center that kills it, which if you are so clueless that you can't even uncheck a checkbox in a GUI? Really having a hard time feeling sorry for you.

          Normally I would agree with you, but having done a whole lot of Windows support over the years? There are way too many people out there (I daresay a majority among the consumers) who doesn't even know what an Action Center is, or what the smartscreen feature really does, let alone know to go there and uncheck the box. To top it off, odds are good (disclosure, I haven't looked) that disabling the feature will come with a pop-up window warning dire consequences if the user goes through with opting-out. (simil

          • by hairyfeet (841228)

            Dude, I've been building, repairing, and selling Windows machines since 1993, so I know of which I speak, and those people? Those are MY CUSTOMERS and I happily turn off any cycle sucking bullshit, just as I turn off all the extra "bling bling" animations in Windows. You'd be surprised how many compliments of "Wow, I don't know what you did, but its sure fast and snappy now!" when all I did was kill all the cycle sucking horseshit.

            So don't worry friend, because people THAT clueless? Come to me soon enough

          • by bloodhawk (813939)
            IF someone is not smart enough to work out how to turn it off, then chances are these are the EXACT people that should have this feature on.
      • Re:Disable it! (Score:4, Informative)

        by Missing.Matter (1845576) on Saturday August 25, 2012 @07:41PM (#41126023)
        The check box appears on first account setup, so any use buying a new PC will see it too.
        • Re:Disable it! (Score:4, Interesting)

          by Ol Olsoc (1175323) on Saturday August 25, 2012 @07:54PM (#41126123)

          The check box appears on first account setup, so any use buying a new PC will see it too.

          The choice should be Opt-in, rather than Opt-out. This is just like their old "everything is enabled" features. It's not hard to have a screen pop up asking you if you want this info reported to Microsoft. Then you say "Yes or no. Then if you are okay, click on that yes, if not, nothing happens.

          • by PNutts (199112)

            I prefer all security settings default to enabled and I turn off what I don't need. Especially considering the wider Windows audience.

        • by b4dc0d3r (1268512)

          Yes, it appears as a check-box (or equivalent), labeled "SmartScreen".

          Who do you think knows what that means? Especially when you are setting up your computer and can't just search for what it means because the desktop is not yet available?

          It sounds safe and secure, so you statistically will leave it allowed. Will you write it down for further research on whether to leave it checked, and if not how to un-check it? Statistically, no.

          Users will see it, but not understand it.

          Since I have already posted here

          • Yes, it appears as a check-box (or equivalent), labeled "SmartScreen".

            No, it does not. The exact text next to the checkbox is: "Use Windows Smartscreen Filter to Check Files and Apps with Microsoft." This is a very brief yet clear description of what the feature is and that you will indeed be checking in with Microsoft with respect to files and apps.

            Especially when you are setting up your computer and can't just search for what it means because the desktop is not yet available?

            Clearly you don't know what you're talking about. Have you ever actually installed Windows 8? There are two links right there in the overview screen for Express Settings. One goes into detail what each setting is for and what it d

    • by fustakrakich (1673220) on Saturday August 25, 2012 @06:45PM (#41125757) Journal

      The elevator has a "close door" button inside. Do you believe it actually functions?

      • Horrible point, since in many cases it does function.
      • It does work in my workplace. I guess it depends on whether you trust your users to use the button properly. My workplace does, my apartment does not.

      • by Khith (608295)
        Sure! It works just as well as those crosswalk signal buttons.
        • by Hatta (162192)

          Around here the crosswalk buttons are at least hooked up and responsive. I will get a walk signal if and only if I press the button, otherwise the traffic lights change but the don't walk signal stays lit. I do still doubt that they affect the timing of the lights, but they are connected to something.

    • Re:Disable it! (Score:5, Insightful)

      by king neckbeard (1801738) on Saturday August 25, 2012 @06:55PM (#41125799)
      Most users do not install their own OS, and being on by default is problematic.
    • Re:Disable it! (Score:5, Informative)

      by Missing.Matter (1845576) on Saturday August 25, 2012 @07:25PM (#41125935)
      Not only do they allow you to turn it off during install, they provide a detailed explanation of what the feature does, what data they collect, how they use the data, and how you can turn the feature off during install and after install. This seems to be just about all the information a user needs to make an informed decision about whether or not to leave smart screen on. if the user opts not to read this information and clicks right through the express settings without caring about the consequences, perhaps that's exactly the kind of user this smart screen filter aims to protect; odds are they have the same lackadaisical attitude when install Ing random software from the internet. Its self selecting really.

      Here is a link to my comment from yesterday, which has the exact text relevant to smart screen you encounter on install: http://slashdot.org/comments.pl?sid=3070309&cid=41111521 [slashdot.org]
      • should be opt-in, not opt-out... should never be ticked on by default... the decision for the user should be whether to turn it on... not whether to turn it off...
    • by slick7 (1703596)

      There is a check box where you can disable this 'feature' before installation. Nothing to see here....

      Critical Update required, for national security.

    • by antdude (79039)

      How about after installation? :P

    • People stupid enough to not disable it are the type that also install MyWebSearch and Freeze and Maps Galaxy and I'd name more but I probably already set off your protection program with this post lol. So that actually fits perfectly, as it sounds like it may warn people about rogue co-installers on "free" games and registry utilities and crap.
    • by golodh (893453)
      And you actually believe that checking the "Disable it" box will disable this facility? Or that it will not be re-enabled with just about any update?

      This, unfortunately, is where the disadvantage of closed-source strikes: you cannot really verify that a device serves you instead of someone else. As soon as you install a binary, or a patch, you hand over control of your device to whoever wrote the code. We all know that. You basically need to trust the one pushing the patches to you.

      Now that's not the en

  • Using all user's "anonymous" information to offer a better experience. Lets of people accept it from Google. Will they accept it from Microsoft?
    • by toolo (142169)

      Yep.. when you get a new 'droid, iPhone or iPad, all of your apps automatically reinstall...wonder how that happens. Just because it's Microsoft this is an issue. Actually SmartScreen on Windows 8 is a good way to see what my kid is doing on the Internet without some 3rd party crapware that is definitely using your shit in ways you don't know about. And as other posters have said you can just turn it off.

      • by kwark (512736) on Saturday August 25, 2012 @06:17PM (#41125629)

        "Yep.. when you get a new 'droid....automatically reinstall...wonder how that happens."

        Not much to wonder about, on Android you have to opt-in to this service.
        Settings -> Privacy:
        Back up my data [ ]

        • Do you opt-in to Chrome sending your URLs to Google?

          Because that would be the equivalent analogy. SmartScreen sends URLs and file hashes to Microsoft, the exact same way Google's anti-malware sends URLs to Google to compare against a blacklist.

          And besides, that, Google "collects" information about what you download through their store, in the same sense - you can't download the app without them knowing your IP, which is the same information Microsoft is getting. If you really cared about this kind of privac

          • by kwark (512736)

            -you opt to install/use chrome, it doesn't come standard. I presume people read the EULA if they install software! Same goes for Firefox BTW.
            -Google collects info on what you download from the Google store. Flip the checkbox to install from other sources, Google doesn't get that info. So not exactly the same as all downloads are send to OS manufacturer.

            • Flip the checkbox to turn SmartScreen off then.

              It's equally as simple. Probably simpler - never used an Android phone. Both are opt-out from your description, and the SmartScreen functionality seems to be outright presented as an option on installation.

              I am also pretty sure that Chrome does, in fact, come standard on Chrome OS and I assume that the default web browser on Androids is Chrome or some variant thereof that sends your URLs to Google same as Chrome does.

        • by wvmarle (1070040)

          I think it's more like the Play Store knows what you have/had installed and will automatically re-install this. After all they do keep track of what you have installed. Backing up data is, afaik, just data: your own data. Not the apps themselves.

          No direct experience with that reinstall part myself, still on my first Android.

        • It actually asks you about that when you activate the new device and specify your Google ID during initial setup. And if I remember correctly, the default was "yes".

          Win8 similarly asks when you run it for the first time, while setting up the user account (and the default is also "yes").

  • by sylvandb (308927) on Saturday August 25, 2012 @05:58PM (#41125521) Homepage Journal

    Collecting the information IS spying.

    How the information is used after being collected does not matter for determining spying, only the motivation for spying.

    • by Hatta (162192)

      Let's use Microsoft's language to see if we can justify other instances of spying:

      "We donâ(TM)t use this hole in the girl's lockerroom wall to identify, contact or target advertising to our users and we donâ(TM)t share it with third parties."

      Does that work? No? Then why should it work here?

  • Note that they only say they don't do these things *now*. They don't say they won't in the future.

  • Sensationalism (Score:5, Insightful)

    by Altanar (56809) on Saturday August 25, 2012 @06:08PM (#41125577)
    I see /. is in for another round of anti-Windows 8 sensationalism. Please read the Ars Technica article [arstechnica.com] talking about this before commentating.
    • Re:Sensationalism (Score:5, Insightful)

      by LateArthurDent (1403947) on Saturday August 25, 2012 @06:42PM (#41125743)

      I see /. is in for another round of anti-Windows 8 sensationalism. Please read the Ars Technica article [arstechnica.com] talking about this before commentating.

      Ah, sweet irony. Your Ars Technica article links to a wired article that argues cryptocat is no more secure than using no crypto at all, because it relies on host security, and then proceeds to defend Smart Screen using a host-security argument.

      If you don't care Microsoft gets access to which programs you run / trust that they will keep the data anonymized and periodically delete the logs as you claim, by all means, don't turn off Smart Screen. That said, they have all the data they need to keep a record if every program you run, and I'd rather not take them at their word that they won't do anything bad with it.

      • In other news Apple collects information for every app users install on their iPhones. So will MS on WinRT tablets and Win 8 Metro environment. In a world like this only an idiot can point a finger in a security service that uses hashes and can be turned off.

      • by cbhacking (979169)

        I was wondering how long it would take before somebody brought up Cryptocat, and whether the person doing so would have a clue or not. Looks like the answers are "not long" and "no".

        The goal of SmartScreen is to warn the user against running malicious software. The goal of Cryptocat is to make a user's chat session completely untappable. Not only are these two goals quite different, but most of the weaknesses of Cryptocat are based on an environment that SmartScreen simply doesn't have. Also, it's not "no m

        • Cryptocat has two major weaknesses against its current implementation

          I wasn't arguing for the security of cryptocat. I hadn't even heard of it before I saw the article. I was merely commenting on the irony that the same (in my opinion, very valid arguments) against cryptocat in the wired article linked in the Ars Technica article would also apply to Smart Screen.

          Also, it's not "no more secure than using no crypto at all"

          Right, I doubt that would be the case too, but from the article I'm talking about, "More generally, your security in a host-based encryption system is no better than having no crypto at all."

          Basically, that article

    • I see /. is in for another round of anti-Windows 8 sensationalism.

      Yep, reminds me of all the Visa BS. Win will they learn, eh? Just because MS sometimes makes a shit OS every once in a while, doesn't mean any of the others are any more acceptable.

  • by Ransak (548582) on Saturday August 25, 2012 @06:26PM (#41125681) Homepage Journal
    TFA just says they aren't doing anything with the information... for now. That doesn't mean the FBI or whatever 3 letter agency can't put a shunt between the Internet and their SmartScreen servers. It's a sniffing vector.
    • A fair point, no doubt; but the word "deny" in Microsoft-context carries pretty strong connotations of incredulity. I think the title simply serves as a sort of aperitif, which worked well enough for me. In other words, Microsoft can deny whatever it wants and (knock on wood) people will still proceed to think.
    • by cbhacking (979169)

      So what? If the feds want to know what you're downloading and such, it's a hell of a lot easier to go through your ISP. Smartscreen as a sniffing vector is technically true but completely irrelevant to the difficulty of the attack you propose.

      • That confuses me slightly. I have vague recollections of using my computer while away from home. And if laptops are actually becoming more popular than desktops, I fear I may become more confused. Naive as I am though, I'd probably even say that laptops are already more popular than desktops, and 'mobility' seems to be one their most marketable features. Now if I changed my MAC address before connecting to another random ISP, how would they identify me? Maybe you are like me in assuming ISPs like Verizon h
    • by Ol Olsoc (1175323)
      It's a matter of credibility.

      That screen is telling you that Microsoft is protecting your privacy. Perhaps sending the IP of every site you visit and every file you download is protecting your privacy? Doubleplusgood!

      Oh, wait. You send the "Do not Track" button. With all due respect, I suspect that once you hit the do not track button, your IP addresses, history and downloads will be considered much more interesting to people who might find them interesting because you asked them not to track you.

  • However (Score:3, Informative)

    by Anonymous Coward on Saturday August 25, 2012 @06:35PM (#41125715)

    Apple knows not only what applications you have, when you use them, how many times you use them, but where you are down to a resolution of 10m anywhere on the planet you are, at anytime.
    doesnt matter if you are a politician, gangster or regular joe

    and you are worried about Microsoft ? lol

    bottom line is:
    do you trust an "American" multi national company with your personal data ?

  • by 93 Escort Wagon (326346) on Saturday August 25, 2012 @06:44PM (#41125751)

    Because this particular story needs to be marked "-1, Flamebait".

  • Is there a way to turn it off after installation? I will also mention the fact that a bunch of bundled software can be gotten rid of after you turn on your brand new laptop/PC.

    • by cbhacking (979169)

      Yes. It can be turned off at install, at first boot (for pre-loaded images), or at any time while logged in. There are even instructions from Microsoft for doing so!

  • So, if i f%^$^%$% you, without your consent, that does not mean that i rape you, nooooo,i am just f^^%$^%$^% you.
  • Of course Microsoft is spying. They have admitted that they are receiving the data they were accused of receiving. At best they're saying that they won't use the data for advertising purposes.

    If they wanted to do this without spying, they could load the signatures of the top 10,000 known-good executables into a file sent out with Windows Update. Those wouldn't need to be checked. Only when some unknown executable showed up would a remote check be necessary.

    When a remote check is necessary, Microsoft on

  • "We don't use this data to identify, contact or target advertising to our users and we don't share it with third parties."

    There are certain grammatical rules in BusinessSpeak which should be kept in mind. For example, in proper BusinessSpeak, the phrase "At this time" which goes before "we" in the preceding quotation is silent.

You don't have to know how the computer works, just how to work the computer.

Working...